Tag: HTTPS

Last year Twitter implemented a security feature that allowed its users to browse the site over a secured HTTP connection (HTTPS). This feature was not enabled by default, and users had to go to their Settings and enable it. Twitter now wants to secure user profiles and has enabled the feature by default.

Using HTTPS will not only help protect the privacy of millions of users, but also offers greater protection when accessing the network over unsecured Wi-Fi connections. Websites served over HTTPS are much preferred, since it is one of the most secure ways of sending and receiving content on the web. Many Google services, including Gmail, use HTTPS to add an extra layer of security.

Using a site over an unsecured Wi-Fi connection without HTTPS enabled could let attackers gain access to your account by capturing your session cookie. In this case, if you’re using Twitter via an unprotected connection, then the attacker can possibly post tweets and read all your Direct Messages without your knowledge.

With HTTPS enabled by default, Twitter now encrypts your login sessions. That way, no eavesdropper on the network can sneak into your account or gain access to it.

Twitter posted an official statement on its blog explaining the new feature –

Last year, we added the option to always use HTTPS when accessing Twitter.com on the web. This setting makes your Twitter experience more secure by protecting your information, and it’s especially helpful if you use Twitter over an unsecured Internet connection like a public WiFi network.

Now, HTTPS will be on by default for all users, whenever you sign in to Twitter.com. If you prefer not to use it, you can turn it off on your Account Settings page. HTTPS is one of the best ways to keep your account safe and it will only get better as we continue to improve HTTPS support on our web and mobile clients.

Although the feature is now enabled by default, users can opt out if they prefer not to use it. Simply go to your Twitter Settings page and uncheck the “Always use HTTPS” option –

It is recommended that you keep this feature enabled in order to keep your account and data safe. If you often use Twitter while out and about, it is highly recommended that you turn on the HTTPS setting and leave it that way.

Facebook too has an option for its users to enable HTTPS, but this is yet to become a default feature.

If you thought the site you were browsing was secure simply due to the little s at the end of HTTP, you may want to re-evaluate.

Security researchers at ACROS have posted details concerning a vulnerability in versions 14 and 15 of Google’s Chrome browser. The issue comes from an inconsistency in how Chrome follows and renders redirections to other web pages. This means that an attacker can redirect a visitor to a page that looks identical to a legitimate page, with a real-looking HTTPS URL, when in fact they are not on the expected page. This can lead to theft of credentials, credit card numbers and other personal information.

The crux of the issue comes down to Chrome being very quick to update the address bar, even before any of the page content has actually loaded. This allows the researchers to change the destination without the change being reflected in the address bar. Most users will “confirm” they are on the correct page simply by reading the address bar and matching it with what they are looking at, especially since the majority only visit a handful of specific websites.

While the newest releases of Chrome (16, beta and above) have had this issue resolved, Google’s browser holds a relatively large market share of approximately 20% worldwide. That’s more than 70 million users. If over 75% of those users have an updated version, one can speculate that roughly 1.7 million users are susceptible to this attack. With Google’s auto-update mechanism, it’s highly unlikely that there are so many old installations.

At Techie-Buzz alone, more than 1 million of the 3.5+ million visitors use Chrome. Google Chrome has been growing at a very rapid rate, pushing Microsoft’s Internet Explorer and Mozilla’s Firefox lower and lower. Chances are you’re using Chrome because it’s fast, so if you want to stay as safe as possible, keep Chrome updated and take a look at some of the popular security/privacy extensions.

JavaScript is a scripting language that provides a lot of functionality to users without them noticing it. It also powers some of the best-known web services out there, including Gmail. However, did you know that a faulty or rogue script can also cause havoc on your system?

Well, how would you know that unless your browser told you? Not all browsers tell you when a script is insecure, but you can count Google Chrome as your friend in this case (at least the dev version on HTTPS), because it has started to block insecure scripts while you are browsing a website over an HTTPS connection.

As you can see from the above screenshot, Google Chrome now shows you a message saying that it has blocked an insecure script from running in the browser, while giving you an option to "Load Anyway". This is done to protect users from running harmful scripts on their system.

This behavior in Google Chrome is similar to it blocking users from accessing harmful websites listed in its database, and it will be useful in protecting users.

The help page on this topic shows what Google is doing exactly:

When a website is secured via HTTPS, the website designer must also ensure that all of the scripts used by the page will be delivered in the same secure manner as the main page itself. The same requirements also apply to the plugins and external CSS stylesheets used by the page, as these have the same considerations as JavaScript.

When this is not the case (sometimes called a mixed script situation), visitors to the site run the risk that attackers can interfere with the website and change the script so as to serve their own purposes.

Traditionally, browsers have run the mixed script, genuine or not, and notified you after-the-fact by a broken lock icon, a dialog box, or a red https:// in the location bar (in the case of Google Chrome). The problem with this approach is that by the time the script has run, it is already too late, because the script has had access to all of the data on the page.

Google Chrome now protects you by refusing up-front to run any script on a secure page unless it is also being delivered over HTTPS. Data on the page remains secure even in the presence of an attacker, but the downside is that this may cause pages to display improperly. You may wish to let the website owner know that their site is not properly secured. (Note that a poorly-written extension can also sometimes cause this).

You can bypass this protection by clicking Allow Anyway, in which case Google Chrome will refresh the page and load the insecure content. You will then see an https:// displayed in red in the location bar indicating that the page could not be secured.

The above description says that Chrome only blocks scripts that are served over plain HTTP on an HTTPS page. Hopefully, they will improve this behavior and also display the same message in the browser when a known rogue script is running on a website.
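As an added illustration (not code from the Techie-Buzz post or from Google's help page), here is a small Python checker that applies the rule described above to a page's HTML: it flags the scripts, plugins and stylesheets that an HTTPS page references over plain HTTP, which is exactly what Chrome refuses to run. The sample HTML and hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Which attribute names the sub-resource for each kind of active content the
# help text lists: scripts, plugins (object/embed) and external stylesheets.
ACTIVE_CONTENT = {"script": "src", "object": "data", "embed": "src", "link": "href"}

class MixedScriptFinder(HTMLParser):
    """Collect active sub-resources that an HTTPS page references over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_CONTENT:
            return
        attrs = dict(attrs)
        # Only stylesheet links are active content; icons, prefetch hints etc. are not.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        value = attrs.get(ACTIVE_CONTENT[tag])
        if not value:
            return
        # Resolve relative and protocol-relative references against the page URL,
        # so "//cdn.example/lib.js" on an https page correctly resolves to https.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute))

def find_mixed_script(page_url, html):
    """Return (tag, url) pairs that the Chrome rule described above would refuse to run."""
    if urlsplit(page_url).scheme != "https":
        return []  # the rule only applies to pages that are themselves delivered over HTTPS
    parser = MixedScriptFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not a real site) mixing secure and insecure references.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example/site.css">
<link rel="icon" href="http://static.example/favicon.ico">
<script src="//cdn.example/lib.js"></script>
<script src="http://ads.example/track.js"></script>
</head><body>
<embed src="/player.swf">
<object data="http://plugins.example/widget.swf"></object>
</body></html>"""
```

Running `find_mixed_script("https://www.example/home", SAMPLE_HTML)` reports the stylesheet, the tracking script and the plugin object, while the protocol-relative script and the site-relative embed resolve to https and pass.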

A few days back I wrote an article about FaceNiff, an Android app that lets users access web session profiles over Wi-Fi networks and hijack your connected Facebook or Twitter account. If your connection is unsecured, then anyone using FaceNiff can easily intercept your data or steal your information.

How to protect your accounts from FaceNiff?

Here’s a tip you can follow. In order to protect your Facebook and Twitter accounts from being hijacked, always browse using an HTTPS connection.

FaceNiff, however, cannot hijack accounts that use HTTPS browsing. HTTPS encrypts the data sent and received with SSL, making it impossible for an eavesdropper to read your session and access your account.

By default, HTTPS browsing is disabled on both Facebook and Twitter. You must enable it manually from each site’s settings page.

Facebook: Go to Account Settings and scroll down to Manage Account Security. Enable secure browsing by ticking it and save the settings.

Twitter: Go to the Settings page and scroll down to enable HTTPS browsing. You’ll be prompted to re-enter your password to save the settings.

Today, Twitter has officially brought back that feature for everyone and now allows users to switch to HTTPS browsing by making a change to their settings. By default, Twitter will start using the HTTPS protocol for any validation done through it, and also in the official Twitter apps for iPhone and iPad.

However, mobile users will have to manually load https://mobile.twitter.com to make use of the HTTPS feature. Twitter is working on applying HTTPS automatically in future for mobile users who select the above option.

Using HTTPS is a good way to encrypt your data while you browse the internet, and this move is definitely good. Other major providers that offer HTTPS support include Facebook, Gmail and Hotmail.

Facebook today announced its continued efforts to provide security to its users by allowing them to switch to secure browsing using HTTPS on the site. The new feature is opt-in, and users will have to visit their "Account settings" page to turn on HTTPS browsing on Facebook.

To enable HTTPS support on Facebook, head over to this page and click on the "change" link next to "Account Security". You will be shown an option to turn on secure browsing for Facebook. Click on the checkbox next to the option and then hit the Save button to start browsing Facebook securely.

Please note, the secure browsing option is not yet available to all users and will be rolled out gradually. In addition to providing users with secure browsing, Facebook is also going to change the captchas on its site to social authentication. So instead of showing you a captcha while adding links or during other activities on Facebook, you will now be shown a picture of your friend and asked to identify them.

Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication. We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don’t know who your friends are.

The new social authentication is a step towards thwarting attempts by hackers who could easily crack your passwords but might not know who your friends are. Social Authentication is a beta feature and is currently being tested, so don’t expect it to be perfect.

Though both Twitter and Facebook have had support for HTTPS for a long time now, they do not enforce HTTPS for users and instead rely on users typing the https:// URLs into the browser.

However, it looks like Twitter has now rolled out a new setting which allows users to always use HTTPS. To enable this setting you can go to your profile and edit settings (or go to http://twitter.com/settings/account) and check the box next to “Always use HTTPS”.